WESPr-18: The International Workshop on Evidence-based Security and Privacy in the Wild 2018

We are delighted to announce that Emiliano Tramontana will present an invited talk titled “Developing Secure and Privacy-Preserving Applications”, and Eduardo B. Fernandez will present a mini-tutorial titled “Evaluating the degree of security of a system built using security patterns”, and Kenji Taguchi will present an invited talk.

[Workshop Abstract]

Cloud Computing has led to a global shift in the computing world and the paradigm itself is evolving as new functions or technologies become available. Intelligent and interactive environments like Internet of Things (IoT) have found application in various domains. Billions of smart devices are connected to the internet and are producing huge amounts of data, increasing both complexity and uncertainty of humans, physical objects and machine-learning modules, especially on security and privacy, which we should manage. We need to tackle such difficulties on security and privacy for complex systems in an uncertain world with a dependable way such as an evidence of model-based reasoning, argumentation, traceability or/and big data. Security evidences make a system trusted and dependable in a big data era.

This workshop aims to bring together researchers and practitioners in the areas of evidence based modelling, security patterns, reasoning, argumentation, traceability, forensic in big data for secure and privacy-aware software development for complex and uncertain systems to exchange ideas and preliminary results. Especially, we would like to discuss how to utilize security evidence in security engineering at the workshop.

The objective of the workshop reveals (1) important problems to be tackled for Security and Privacy on Complex and Uncertain Systems and (2) research challenges through presentations and the discussion. The topic includes security and privacy models, pattern-based security and privacy modelling, knowledge base for secure, reasoning, argumentation, traceability, forensic in big data and/or privacy-aware software development, security and privacy modelling and reasoning tools, and experiences for secure and/or privacy-aware software development.

[Invited Talk and Mini-Tutorial]

Generally, as users we trust services and applications and assume that personal data remain confidential within our personal mobile devices. We mostly believe that applications would not disclose data outside of our device, unless permission is asked. Moreover, we assume a benevolent behaviour of service providers on some server-side. Unexpectedly by most, there are many scenarios in which some personal data have been unknowingly collected by means of several mechanisms and attacks. Some seemingly innocuous mechanisms will be revealed that have played a part in performing data gathering. Best practices and patterns, as well as other state-of-the art countermeasures, can help reduce data disclosure, when they have been adopted to develop secure applications. Moreover, further code analyses can be helpful to assist developers in detecting whether all the desired security requirements have been properly put into place.

Minitutorial: Evaluating the degree of security of a system built using security patterns
Eduardo B. Fernandez (Florida Atlantic University)

A variety of methodologies to build secure systems have been proposed. However, most of them do not say much about how to evaluate the degree of security of the final system. This makes it difficult to compare secure development approaches and if one adopts one of these approaches, it is hard to improve its security level. We have proposed a secure systems development methodology that uses security patterns. We present a way to demonstrate that a system built according to this methodology (or another methodology using patterns) is secure. We first give a summary of security patterns and of our methodology and then propose a metric for security for systems that have been built using patterns. We consider the use of threat enumeration and misuse patterns to perform this evaluation and we indicate how to take advantage of the Twin Peaks approach to arrive to a refined measure of security.

Eduardo B. Fernandez (Eduardo Fernandez-Buglioni) is a professor in the Department of Computer Science and Engineering at Florida Atlantic University in Boca Raton, Florida, USA. He has published numerous papers on authorization models, object-oriented analysis and design, cloud computing, and security patterns. He has written four books on these subjects, the most recent being a book on security patterns; he is working now on a book on Cloud and IoT security patterns. He has lectured all over the world at both academic and industrial meetings. He has created and taught several graduate and undergraduate courses and industrial tutorials. His current interests include security patterns, cloud computing security, and cyber-physical systems security and safety, including IoT. He holds a MS degree in Electrical Engineering from Purdue University and a Ph.D. in Computer Science from UCLA. He is a Senior Member of the IEEE, and a Member of ACM. He is an active consultant for industry, including assignments with IBM, Allied Signal, Panasonic, Motorola, Lucent, Huawei, and others. More information in: http://faculty.eng.fau.edu/fernande

[Submission and Publication]

Research Full papers, reporting innovative and original research. Full papers are limited to 8 pages.

Industrial Full papers, presenting experience reports, industrial case studies, experiments, and experiences in practices showing important problems or useful knowledge for workshop attendees. Full papers are limited to 8 pages.

Position papers and future-trends papers, describing ongoing research, new results, and future emerging trends either in practice or in theory. This type of submissions is limited to 4 pages.

Tool demos from academic or industrial environments. Demos papers should include a link to the demo material are limited to 4 pages.

Every paper submission will be peer-reviewed by reviewers. Emphasis will be given on originality, usefulness, practicality, and/or new problems to be tackled. Papers must have overall quality and not have been previously published or be currently submitted elsewhere. If accepted, the paper must be presented as both oral talk and a poster at the workshop by one of the authors. Workshop paper submissions must be in English and conform to the IEEE Dual Column format. Accepted papers will be published as an CEUR-WS, which is indexed by DBLP.